Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown or reboot of a machine. In some cases, these commands may also be used to initiate a shutdown or reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Adversaries may attempt to shut down or reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2018-15397 | Cisco Adaptive Security Appliance (ASA) Software | primary_impact | T1529 | System Shutdown/Reboot | |
CVE-2019-1817 | Cisco Web Security Appliance (WSA) | primary_impact | T1529 | System Shutdown/Reboot | |
CVE-2018-18995 | ABB GATE-E1 and GATE-E2 | secondary_impact | T1529 | System Shutdown/Reboot | |
CVE-2015-7925 | n/a | uncategorized | T1529 | System Shutdown/Reboot | |
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1529 | System Shutdown/Reboot | |
aws_rds | AWS RDS | technique_scores | T1529 | System Shutdown/Reboot | AWS RDS generates events for database instances, including the following events that may indicate that an adversary has shut down or rebooted the database instance: RDS-EVENT-0006: The DB instance restarted; RDS-EVENT-0004: The DB instance shutdown; RDS-EVENT-0022: An error has occurred while restarting MySQL or MariaDB. This mapping is given a score of Partial because it can't differentiate between an authorized and unauthorized shutdown/reboot. |
amazon_inspector | Amazon Inspector | technique_scores | T1529 | System Shutdown/Reboot | The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; rather, it only checks whether security controls are in place, which can inform decisions around hardening the system. Due to this, and the fact that the security control is only supported for Linux platforms, the score is Minimal. |